HybridPetya Ransomware Bypasses UEFI

New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit

What is Petya Ransomware
Computers running Microsoft Windows are infected by the encryption malware family Petya. In order to run a payload that encrypts data on the compromised hard drive, Petya infects the master boot record. Only after the victim enters the encryption key, typically obtained by paying the attacker a ransom, is the data unlocked.


Even highly secure enterprise environments are at serious risk from a UEFI Secure Boot bypass. By encrypting the Master File Table (MFT), HybridPetya effectively prevents access to files on Windows. Ransomware that bypasses UEFI Secure Boot is a serious threat to anyone who has not applied the fix.

A new strain of ransomware called HybridPetya has been discovered by researchers. It combines the destructive capabilities of NotPetya with the encryption strategies of Petya. On unrevoked Windows systems, the malware circumvents UEFI Secure Boot by taking advantage of a patched vulnerability.

By exploiting CVE-2024-7344, HybridPetya gets around UEFI Secure Boot safeguards. It installs a malicious bootkit into the EFI System Partition, forces a machine reboot, and covers the encryption with a fake CHKDSK process.




See also: Zero Trust Always Verify

BEST PRACTICE

  1. Keep regular backups of critical data
  2. Deploy the Microsoft Secure Boot updates
  3. Deploy endpoint protection capable of detecting bootloader tampering and ransomware bootkits
  4. Keep UEFI firmware updated across all systems
  5. Implement file integrity monitoring for \EFI\Microsoft\Boot
  6. Integrate the published IOCs with the deployed EDR solution



IOCs (file hashes, signatures) are a major component of traditional antivirus software. Even in the absence of an IOC, contemporary EDR solutions employ behavioral detection, machine learning, and heuristics to detect unknown or "zero-day" attacks. However, current IOCs remain important because they offer rapid, highly reliable identification of known ransomware.


See also: Why SOC 2 Security & Privacy is separately mentioned with CIA

Protect organizations against UEFI attacks

Firmware and UEFI components should be considered part of the software attack surface in order to defend organizations against HybridPetya. Administrators should make sure Secure Boot is set up correctly, audit and update UEFI firmware on a regular basis, and disable or uninstall any vulnerable third-party bootloaders, such as Howyar Reloader. In order to find early indications of compromise, they should also keep an eye out for any odd activity in the EFI System Partition and gather logs pertaining to UEFI.

To lower the risk, companies also need to use endpoint detection tools that can scan firmware, enforce stringent access controls, and adhere to security recommendations from reliable sources. Having a recovery plan that covers hardware replacement or firmware reinstallation in the event of infection is also advised.
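As an added, defender-side example that is not from the original post, the following PowerShell script covers three of the recommendations above (Secure Boot configured, the Microsoft revocation update applied, and file integrity monitoring of \EFI\Microsoft\Boot): it confirms Secure Boot is on, parses the firmware dbx to check whether advisory-listed hashes are revoked, and diffs the ESP boot directory against a stored baseline. It assumes an elevated session on a UEFI-booted Windows host; the drive letter, the baseline path and the advisory hash placeholder are assumptions.

```powershell
# Added example (not the post's code). Elevated PowerShell on a UEFI-booted Windows
# host; the SecureBoot cmdlets, mountvol and Get-FileHash ship with Windows.
function Get-DbxSha256Entries {
    # Parse the forbidden-signature database (dbx). UEFI layout: EFI_SIGNATURE_LIST =
    # SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4), then
    # entries of SignatureOwner GUID(16) + SHA-256(32). Revoked bootloaders (for
    # example those blocked for CVE-2024-7344) appear here as Authenticode PE hashes.
    $bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = New-Object 'System.Collections.Generic.List[string]'
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28) { break }            # malformed list: stop, do not spin
        if ($type -eq $sha256Guid -and $sigSize -eq 48) {
            $sigPos = $pos + 28 + $hdrSize
            while ($sigPos + $sigSize -le $pos + $listSize) {
                $hashes.Add((($bytes[($sigPos + 16)..($sigPos + 47)] | ForEach-Object { $_.ToString('x2') }) -join ''))
                $sigPos += $sigSize
            }
        }
        $pos += $listSize
    }
    return $hashes
}
function Test-EspBootIntegrity {
    # Integrity check for \EFI\Microsoft\Boot: hash every file on the ESP and diff it
    # against a stored baseline (first run writes the baseline). Paths are assumptions.
    param([string]$Drive = 'S:', [string]$BaselinePath = 'C:\ProgramData\esp-boot-baseline.json')
    mountvol $Drive /S | Out-Null
    try {
        $current = Get-ChildItem "$Drive\EFI\Microsoft\Boot" -Recurse -File | ForEach-Object {
            [pscustomobject]@{ Path   = $_.FullName.Substring($Drive.Length)
                               Sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower() }
        }
        if (-not (Test-Path $BaselinePath)) { $current | ConvertTo-Json | Set-Content $BaselinePath; return @() }
        $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
        # '=>' marks a file that is new or changed on the ESP, '<=' one missing or changed
        return Compare-Object $baseline $current -Property Path, Sha256
    } finally { mountvol $Drive /D }
}
Write-Host "Secure Boot enabled : $(Confirm-SecureBootUEFI)"
$dbx = Get-DbxSha256Entries
Write-Host "dbx SHA-256 entries : $($dbx.Count)"
$advisoryHashes = @('<authenticode-sha256-from-vendor-advisory>')   # placeholder, fill from advisory
foreach ($h in $advisoryHashes) { Write-Host "$h revoked in dbx: $($dbx -contains $h)" }
Test-EspBootIntegrity | Format-Table -AutoSize
```

Run it once on a known-clean host to write the baseline, then schedule it; any row returned by Test-EspBootIntegrity or a revoked hash that reports False is worth an incident ticket.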

HybridPetya installs malicious UEFI payloads that compromise the system's firmware and get around Secure Boot. Because it lives in the firmware, it can endure even if the hard drive is erased or the operating system is reinstalled.

How it works

  1. NTFS Master File Table encryption using the Salsa20 algorithm
  2. Setting up a UEFI bootkit to launch before Windows loads
  3. CVE-2024-7344 exploit to turn off Secure Boot safeguards
  4. Support for recovering data after entering the decryption key

Profitable for attackers

HybridPetya demonstrates that Secure Boot bypasses are not only feasible but are also growing in popularity and allure for both researchers and attackers.

Attackers find UEFI, the replacement for the Basic Input/Output System (BIOS), to be a lucrative target. Because UEFI runs before the operating system at startup, malware that infects the boot process can bypass traditional security software, execute malicious code with high-level privileges, and remain extremely stealthy and resilient to removal.

How to remove HybridPetya

After infecting a system, Petya is challenging to remove, just like the majority of ransomware. Usually, the victim must choose between wiping everything out and recovering it from backup or paying the ransom in the hope of actually obtaining the encryption key. The best approach is to avoid ransomware altogether. Here’s what to do before, during and after an attack.

Restoring everything from backup is the only method to fully recover from a ransomware infection. Paying the ransom, however, might make more operational and financial sense even with recent backups.


After Attack

To identify potential threats that might still exist in your environment, we advise a comprehensive security assessment. Take a hard look at your security tools and procedures—and where they fell short.

  1. Cleanup
  2. Post-mortem review
  3. Assess user awareness
  4. Education and training
  5. Reinforce your defenses
  6. Review risk

Serious concerns

The deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition.

Important Takeaways

  1. HybridPetya combines Petya ransomware with NotPetya’s destructive features.
  2. It bypasses UEFI Secure Boot using a patched vulnerability.
  3. ESET warns it could persist even after OS reinstalls.

See also: Why Active Directory Needs Protection

Seek out security solutions that can adapt to new and emerging threats and help you respond to them faster.


Reviewed by All About Security on September 20, 2025